Kerberos Max Token Size


OK, not directly Exchange related, but an issue I'd like to share. In one of my earlier articles you can read that I'm working on a project where we'll be performing a cross-forest migration of accounts and Exchange mailboxes. Migrating the Active Directory user accounts is done using ADMT v3.1 with SIDHistory. No problem so far, until we noticed some migrated users weren't receiving Group Policy Objects and experienced authorization errors from time to time. After identifying several users experiencing similar issues, we noticed the following common event log entries:

System eventlog (the number 3888 varied):

Event ID : 6
Source : Kerberos
The kerberos SSPI package generated an output token of size 3888 bytes, which was too large to fit in the 2e00 buffer buffer provided by process id 0. If the condition persists, please contact your system administrator.

The Application eventlog contained the following event:

Event ID : 1053
Source : UserEnv
Windows cannot determine the user or computer name. (). Group Policy processing aborted.

Turns out, Kerberos is the culprit. GPO processing aborted because the users' Kerberos tokens exceeded the maximum Kerberos token size. This problem may occur when users belong to (too) many groups (don't ask). In addition, memberships coming from SIDHistory are also added to the token, roughly doubling the number of entries.

As MS KB articles 263693 and 327825 suggest, we raised the MaxTokenSize limit to 65535 (0xFFFF) in the following registry location (if the value is not present, create it as REG_DWORD):

HKLM\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters\MaxTokenSize

After a restart, all problems were gone. This isn't a standard GPO setting; when required, you need to create an .adm GPO template yourself, which is described in KB article 938118. Hope you'll find this information useful to keep in mind when performing your ADMT scenarios at clients with excessive group usage.
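
To see why SIDHistory pushes a token past the limit, the following added example (not part of the original post) applies the estimate formula from KB 327825, TokenSize = 1200 + 40d + 8s, to constructed group counts and compares the result with the MaxTokenSize in effect on the local machine. The function names, the sample counts and the 12000-byte fallback (the default before Windows Server 2012) are assumptions of the example.

```powershell
# Added example, not from the original post.
$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters'

function Get-EffectiveMaxTokenSize {
    # Configured MaxTokenSize, or the OS default when the value is absent.
    # Assumption: 12000 (pre-Windows Server 2012); pass 48000 on newer systems.
    param([int]$DefaultSize = 12000)
    $p = Get-ItemProperty -Path $KerberosParams -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -ne $p -and $null -ne $p.MaxTokenSize) { return [int]$p.MaxTokenSize }
    return $DefaultSize
}

function Get-EstimatedTokenSize {
    # KB 327825 estimate: TokenSize = 1200 + 40d + 8s
    #   d = domain local groups + universal groups from other domains + SIDHistory SIDs
    #   s = global groups + universal groups in the user's own domain
    param(
        [int]$DomainLocal = 0, [int]$UniversalForeign = 0, [int]$SidHistory = 0,
        [int]$Global = 0, [int]$UniversalOwn = 0
    )
    $d = $DomainLocal + $UniversalForeign + $SidHistory
    $s = $Global + $UniversalOwn
    return 1200 + (40 * $d) + (8 * $s)
}

$limit = Get-EffectiveMaxTokenSize

# Constructed sample: one user before and after a migration in which each of
# the 210 migrated groups contributes one SIDHistory entry.
$samples = @(
    @{ Name = 'before migration'; Counts = @{ DomainLocal = 60; Global = 150 } },
    @{ Name = 'after migration';  Counts = @{ DomainLocal = 60; Global = 150; SidHistory = 210 } }
)

foreach ($u in $samples) {
    $counts = $u.Counts
    $size = Get-EstimatedTokenSize @counts   # splat the counts as named parameters
    [pscustomobject]@{
        Account       = $u.Name
        EstimatedSize = $size
        MaxTokenSize  = $limit
        ExceedsLimit  = ($size -gt $limit)
    }
}
```

Each SIDHistory entry costs 40 bytes against 8 for a global group, so the token grows by far more than the doubling of the SID count suggests. Later revisions of KB 327825 recommend keeping MaxTokenSize at or below 48000, because larger tokens can overflow HTTP authentication headers once they are base64-encoded.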

Windows Mobile 6.1 update for Exchange 2010


An update for Outlook Mobile has been released for Windows Mobile 6.1 users who connect to Exchange 2010; users running Windows Mobile 6.5+ do not need this update. This update adds the following functionality to Windows Mobile 6.1:

  • E-mail conversation view
  • Free/Busy lookup
  • Sync text messages to Exchange
  • Enhanced Voice Mail, e.g. Unified Messaging voice mail preview

More information with screenshots in the related Exchange Team blog here. When your Windows Mobile 6.1 phone is connected to Exchange Server 2010, you are automatically informed if there is an update.

Exchange 2007 SP2 Rollup 3


Microsoft released Rollup 3 for Exchange Server 2007 Service Pack 2 (KB979784). This update raises the Exchange 2007 version number to 8.2.247.2.

Here’s the list of changes included in this rollup (KB979784):

  1. 976108 “451 4.4.0 DNS Query Failed” status message in an Exchange Server 2007 Edge Transport server
  2. 976460 Later updates do not match a calendar item that an Exchange Server 2007 user updates by using Exchange ActiveSync on a mobile device
  3. 977179 You receive an “0x800423f0” error message when you perform system state backups on the passive node of Windows Server 2008-based Exchange Server 2007 CCR clusters
  4. 977531 An external recipient misses the last occurrence of a recurring meeting request or a recurring appointment that is sent from an Exchange Server 2007 user
  5. 977923 The Edgetransport.exe process crashes when it processes meeting requests in Exchange Server 2007
  6. 978137 The subject of a confirmation message is garbled for certain languages when a remote device wipe operation is performed in Exchange Server 2007
  7. 978200 The sender address of a forwarded meeting request does not include “on behalf of” as expected in an Exchange Server 2003 organization and an Exchange Server 2007 organization mixed environment
  8. 978253 A SSL certificate validation error is generated on an Exchange Server 2007 server when you run any test commands after you run the Test-SystemHealth command
  9. 978469 A mailbox that was moved from an Exchange Server 2007 server to an Exchange Server 2010 server cannot be accessed by using Outlook
  10. 978517 The Microsoft Exchange Information Store service stops responding on an Exchange Server 2007 server
  11. 978521 The synchronization and the reconciliation between Microsoft Office Outlook and a BlackBerry mobile device fails when a mailbox is moved around between two Exchange Server 2007
  12. 978528 The Microsoft Exchange Information Store service crashes on a Microsoft Exchange Server 2007 server when a user tries to access a specific calendar item
  13. 978832 Read items are marked incorrectly as unread items in an Exchange Server 2007 public folder
  14. 979055 A delegate cannot save three settings of Resource Settings for an Exchange Server 2007 resource mailbox in OWA
  15. 979170 You receive an error message when you use ExBPA to schedule a scan on an Exchange Server 2007 SP2 server
  16. 979219 The store.exe process hangs on an Exchange Server 2007 server

To download the x64 or x86 version of Exchange 2007 rollup 3, click here. The Exchange versions, builds and dates table has been updated accordingly and can be found here.

Exchange 2010 Mailbox Role Calculator 6.1


Again, the Microsoft Exchange Team worked hard to improve the Exchange Mailbox Role Calculator even more with the release of version 6.1, 1 month after the 4.5 update. This version includes the following enhancements since 4.5:

  • Option to select requested storage design, also to prevent logic issues with the calculator suggesting 0 (zero) disks. You have the option to select the storage design As Calculated, Entirely on RAID or Entirely on JBOD;
  • Simplified messaging profiles (e.g. “100 messages” instead of “20 sent/80 received”) as it doesn’t influence the IO and capacity calculations;
  • Some improvements and additions in layout and information displayed (e.g. Environment Configuration, Role Requirements Results).

For an extensive overview of the changes and fixes (e.g. zero disk issue), consult the Exchange Team’s changeblog here.

You can download the calculator here. Instructions on usage can be found here.

Exchange Scalability Limits Worksheet


Last Friday, the Exchange team published the initial version of an Excel worksheet describing the scalability limits and recommendations of Exchange 2007 SP2 versus Exchange 2010. It shows to which Exchange version the limit applies, the area, the limitation itself, a description of the underlying issue and where possible mitigations to increase (or lower if you want) the (default) limit. Note that it not only describes the Exchange Server software, but also limitations caused by the underlying Operating System, off- and on-premise usage and running in large organizations. Great info for sizing large scale implementations and deployments!

You can download the Exchange Scalability Limits Worksheet here. The Exchange team welcomes comments and feedback.